U.S. Organizations Targeted by FormBook Malware Campaign

Specific industry sectors in the United States and South Korea have been the main targets in the Formbook malware attacks. However there has been some worry that the malware will be used in more widespread cyberattacks around the world.

So far, the Aerospace industry, defense contractors, and the manufacturing sector have been widely targeted; however, attacks have not been limited to these sectors. The financial services, energy and utility companies, services/consulting firms and educational institutions have also been tageted.

FireEye found several ‘significant campaigns’ in the United States and South Korea and reports that cyberattacks are primarily happening via spam email. The emails being broadcast are generic, as opposed to spear phishing emails at specific targets, although the attacks are concentrated on certain industry sectors.

The malicious attachments used to download and implement FormBook malware are not the same in the United States and South Korea. In the United States, the attackers are mainly using PDF files, Word documents and XLS spreadsheets. The Office documents contain malicious macros, which download the malware when run by end users. The PDF files include an embedded link that, if clicked, will download the malicious software. The emails captured by FireEye spoof DHL and FedEx and appear to contain details of shipments. In South Korea, a campaign has been discovered using .ACE, .ISO, .RAR, and .ZIP files, with the executable attached to the email.

FormBook malware has persistence and can carry out a wide range of functions. It is a keylogger, can record data from the clipboard, steal cookies and passwords, can start and stop processes, force a reboot, extract data from HTTP sessions, take screenshots, and download other files. One campaign has been used to inflict the Nanocore Trojan onto infected devices and technology.

While the chief purpose of FormBook malware seems to be espionage, it can be used in a variety of attacks and nefarious aims. The malware is being used by multiple actors and is being rented using underground marketplaces as malware-as-a-service; complete with a simple to use web interface for compiling executables. Furthermore, the cost of hiring the malware is not high – $29 per month or $299 for a full package professional subscription. The developers claim the malware is advanced Internet activity logging software and supplies users with a “powerful Internet monitoring experience”.

Due to the reasonable price, ease of use, and the wide range of functionality, this malware variant is predicted to become a serious threat to all companies.